Upgrade 1-11.38

vendor/symfony/security/Http/RememberMe/AbstractRememberMeServices.php

@@ -11,18 +11,18 @@
 
 namespace Symfony\Component\Security\Http\RememberMe;
 
-use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Core\User\UserInterface;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\HttpFoundation\Cookie;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
-use Symfony\Component\Security\Http\Logout\LogoutHandlerInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Exception\CookieTheftException;
 use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
-use Symfony\Component\Security\Core\Exception\CookieTheftException;
-use Symfony\Component\HttpFoundation\Response;
-use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\HttpFoundation\Cookie;
-use Psr\Log\LoggerInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Http\Logout\LogoutHandlerInterface;
 use Symfony\Component\Security\Http\ParameterBagUtils;
 
 /**
@@ -35,26 +35,23 @@ abstract class AbstractRememberMeServices implements RememberMeServicesInterface
     const COOKIE_DELIMITER = ':';
 
     protected $logger;
-    protected $options = array(
+    protected $options = [
         'secure' => false,
         'httponly' => true,
-    );
+        'samesite' => null,
+    ];
     private $providerKey;
     private $secret;
     private $userProviders;
 
     /**
-     * Constructor.
-     *
-     * @param array           $userProviders
      * @param string          $secret
      * @param string          $providerKey
-     * @param array           $options
      * @param LoggerInterface $logger
      *
      * @throws \InvalidArgumentException
      */
-    public function __construct(array $userProviders, $secret, $providerKey, array $options = array(), LoggerInterface $logger = null)
+    public function __construct(array $userProviders, $secret, $providerKey, array $options = [], LoggerInterface $logger = null)
     {
         if (empty($secret)) {
             throw new \InvalidArgumentException('$secret must not be empty.');
@@ -62,7 +59,7 @@ abstract class AbstractRememberMeServices implements RememberMeServicesInterface
         if (empty($providerKey)) {
             throw new \InvalidArgumentException('$providerKey must not be empty.');
         }
-        if (0 === count($userProviders)) {
+        if (0 === \count($userProviders)) {
             throw new \InvalidArgumentException('You must provide at least one user provider.');
         }
 
@@ -96,8 +93,6 @@ abstract class AbstractRememberMeServices implements RememberMeServicesInterface
      * Implementation of RememberMeServicesInterface. Detects whether a remember-me
      * cookie was set, decodes it, and hands it to subclasses for further processing.
      *
-     * @param Request $request
-     *
      * @return TokenInterface|null
      *
      * @throws CookieTheftException
@@ -105,8 +100,12 @@ abstract class AbstractRememberMeServices implements RememberMeServicesInterface
      */
     final public function autoLogin(Request $request)
     {
+        if (($cookie = $request->attributes->get(self::COOKIE_ATTR_NAME)) && null === $cookie->getValue()) {
+            return null;
+        }
+
         if (null === $cookie = $request->cookies->get($this->options['name'])) {
-            return;
+            return null;
         }
 
         if (null !== $this->logger) {
@@ -128,32 +127,38 @@ abstract class AbstractRememberMeServices implements RememberMeServicesInterface
 
             return new RememberMeToken($user, $this->providerKey, $this->secret);
         } catch (CookieTheftException $e) {
-            $this->cancelCookie($request);
+            $this->loginFail($request, $e);
 
             throw $e;
         } catch (UsernameNotFoundException $e) {
             if (null !== $this->logger) {
-                $this->logger->info('User for remember-me cookie not found.');
+                $this->logger->info('User for remember-me cookie not found.', ['exception' => $e]);
             }
+
+            $this->loginFail($request, $e);
         } catch (UnsupportedUserException $e) {
             if (null !== $this->logger) {
-                $this->logger->warning('User class for remember-me cookie not supported.');
+                $this->logger->warning('User class for remember-me cookie not supported.', ['exception' => $e]);
             }
+
+            $this->loginFail($request, $e);
         } catch (AuthenticationException $e) {
             if (null !== $this->logger) {
-                $this->logger->debug('Remember-Me authentication failed.', array('exception' => $e));
+                $this->logger->debug('Remember-Me authentication failed.', ['exception' => $e]);
             }
+
+            $this->loginFail($request, $e);
+        } catch (\Exception $e) {
+            $this->loginFail($request, $e);
+
+            throw $e;
         }
 
-        $this->cancelCookie($request);
+        return null;
     }
 
     /**
      * Implementation for LogoutHandlerInterface. Deletes the cookie.
-     *
-     * @param Request        $request
-     * @param Response       $response
-     * @param TokenInterface $token
      */
     public function logout(Request $request, Response $response, TokenInterface $token)
     {
@@ -163,22 +168,16 @@ abstract class AbstractRememberMeServices implements RememberMeServicesInterface
     /**
      * Implementation for RememberMeServicesInterface. Deletes the cookie when
      * an attempted authentication fails.
-     *
-     * @param Request $request
      */
-    final public function loginFail(Request $request)
+    final public function loginFail(Request $request, \Exception $exception = null)
     {
         $this->cancelCookie($request);
-        $this->onLoginFail($request);
+        $this->onLoginFail($request, $exception);
     }
 
     /**
      * Implementation for RememberMeServicesInterface. This is called when an
      * authentication is successful.
-     *
-     * @param Request        $request
-     * @param Response       $response
-     * @param TokenInterface $token    The token that resulted in a successful authentication
      */
     final public function loginSuccess(Request $request, Response $response, TokenInterface $token)
     {
@@ -218,17 +217,11 @@ abstract class AbstractRememberMeServices implements RememberMeServicesInterface
      * Subclasses should validate the cookie and do any additional processing
      * that is required. This is called from autoLogin().
      *
-     * @param array   $cookieParts
-     * @param Request $request
-     *
      * @return UserInterface
      */
     abstract protected function processAutoLoginCookie(array $cookieParts, Request $request);
 
-    /**
-     * @param Request $request
-     */
-    protected function onLoginFail(Request $request)
+    protected function onLoginFail(Request $request, \Exception $exception = null)
     {
     }
 
@@ -236,10 +229,6 @@ abstract class AbstractRememberMeServices implements RememberMeServicesInterface
      * This is called after a user has been logged in successfully, and has
      * requested remember-me capabilities. The implementation usually sets a
      * cookie and possibly stores a persistent record of it.
-     *
-     * @param Request        $request
-     * @param Response       $response
-     * @param TokenInterface $token
      */
     abstract protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token);
 
@@ -251,7 +240,7 @@ abstract class AbstractRememberMeServices implements RememberMeServicesInterface
             }
         }
 
-        throw new UnsupportedUserException(sprintf('There is no user provider that supports class "%s".', $class));
+        throw new UnsupportedUserException(sprintf('There is no user provider for user "%s". Shouldn\'t the "supportsClass()" method of your user provider return true for this classname?', $class));
     }
 
     /**
@@ -269,8 +258,6 @@ abstract class AbstractRememberMeServices implements RememberMeServicesInterface
     /**
      * Encodes the cookie parts.
      *
-     * @param array $cookieParts
-     *
      * @return string
      *
      * @throws \InvalidArgumentException When $cookieParts contain the cookie delimiter. Extending class should either remove or escape it.
@@ -279,7 +266,7 @@ abstract class AbstractRememberMeServices implements RememberMeServicesInterface
     {
         foreach ($cookieParts as $cookiePart) {
             if (false !== strpos($cookiePart, self::COOKIE_DELIMITER)) {
-                throw new \InvalidArgumentException(sprintf('$cookieParts should not contain the cookie delimiter "%s"', self::COOKIE_DELIMITER));
+                throw new \InvalidArgumentException(sprintf('$cookieParts should not contain the cookie delimiter "%s".', self::COOKIE_DELIMITER));
             }
         }
 
@@ -288,23 +275,19 @@ abstract class AbstractRememberMeServices implements RememberMeServicesInterface
 
     /**
      * Deletes the remember-me cookie.
-     *
-     * @param Request $request
      */
     protected function cancelCookie(Request $request)
     {
         if (null !== $this->logger) {
-            $this->logger->debug('Clearing remember-me cookie.', array('name' => $this->options['name']));
+            $this->logger->debug('Clearing remember-me cookie.', ['name' => $this->options['name']]);
         }
 
-        $request->attributes->set(self::COOKIE_ATTR_NAME, new Cookie($this->options['name'], null, 1, $this->options['path'], $this->options['domain'], $this->options['secure'], $this->options['httponly']));
+        $request->attributes->set(self::COOKIE_ATTR_NAME, new Cookie($this->options['name'], null, 1, $this->options['path'], $this->options['domain'], $this->options['secure'], $this->options['httponly'], false, $this->options['samesite']));
     }
 
     /**
      * Checks whether remember-me capabilities were requested.
      *
-     * @param Request $request
-     *
      * @return bool
      */
     protected function isRememberMeRequested(Request $request)
@@ -316,9 +299,9 @@ abstract class AbstractRememberMeServices implements RememberMeServicesInterface
         $parameter = ParameterBagUtils::getRequestParameterValue($request, $this->options['remember_me_parameter']);
 
         if (null === $parameter && null !== $this->logger) {
-            $this->logger->debug('Did not send remember-me cookie.', array('parameter' => $this->options['remember_me_parameter']));
+            $this->logger->debug('Did not send remember-me cookie.', ['parameter' => $this->options['remember_me_parameter']]);
         }
 
-        return $parameter === 'true' || $parameter === 'on' || $parameter === '1' || $parameter === 'yes' || $parameter === true;
+        return 'true' === $parameter || 'on' === $parameter || '1' === $parameter || 'yes' === $parameter || true === $parameter;
     }
 }

vendor/symfony/security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php

@@ -11,14 +11,14 @@
 
 namespace Symfony\Component\Security\Http\RememberMe;
 
-use Symfony\Component\Security\Core\Authentication\RememberMe\TokenProviderInterface;
 use Symfony\Component\HttpFoundation\Cookie;
-use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentToken;
+use Symfony\Component\Security\Core\Authentication\RememberMe\TokenProviderInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\CookieTheftException;
-use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentToken;
-use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 
 /**
  * Concrete implementation of the RememberMeServicesInterface which needs
@@ -29,13 +29,9 @@ use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  */
 class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices
 {
+    /** @var TokenProviderInterface */
     private $tokenProvider;
 
-    /**
-     * Sets the token provider.
-     *
-     * @param TokenProviderInterface $tokenProvider
-     */
     public function setTokenProvider(TokenProviderInterface $tokenProvider)
     {
         $this->tokenProvider = $tokenProvider;
@@ -51,7 +47,7 @@ class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices
 
         // Delete cookie from the tokenProvider
         if (null !== ($cookie = $request->cookies->get($this->options['name']))
-            && count($parts = $this->decodeCookie($cookie)) === 2
+            && 2 === \count($parts = $this->decodeCookie($cookie))
         ) {
             list($series) = $parts;
             $this->tokenProvider->deleteTokenBySeries($series);
@@ -63,7 +59,7 @@ class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices
      */
     protected function processAutoLoginCookie(array $cookieParts, Request $request)
     {
-        if (count($cookieParts) !== 2) {
+        if (2 !== \count($cookieParts)) {
             throw new AuthenticationException('The cookie is invalid.');
         }
 
@@ -83,12 +79,14 @@ class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices
         $request->attributes->set(self::COOKIE_ATTR_NAME,
             new Cookie(
                 $this->options['name'],
-                $this->encodeCookie(array($series, $tokenValue)),
+                $this->encodeCookie([$series, $tokenValue]),
                 time() + $this->options['lifetime'],
                 $this->options['path'],
                 $this->options['domain'],
                 $this->options['secure'],
-                $this->options['httponly']
+                $this->options['httponly'],
+                false,
+                $this->options['samesite']
             )
         );
 
@@ -105,7 +103,7 @@ class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices
 
         $this->tokenProvider->createNewToken(
             new PersistentToken(
-                get_class($user = $token->getUser()),
+                \get_class($user = $token->getUser()),
                 $user->getUsername(),
                 $series,
                 $tokenValue,
@@ -116,12 +114,14 @@ class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices
         $response->headers->setCookie(
             new Cookie(
                 $this->options['name'],
-                $this->encodeCookie(array($series, $tokenValue)),
+                $this->encodeCookie([$series, $tokenValue]),
                 time() + $this->options['lifetime'],
                 $this->options['path'],
                 $this->options['domain'],
                 $this->options['secure'],
-                $this->options['httponly']
+                $this->options['httponly'],
+                false,
+                $this->options['samesite']
             )
         );
     }

vendor/symfony/security/Http/RememberMe/RememberMeServicesInterface.php

@@ -11,9 +11,9 @@
 
 namespace Symfony\Component\Security\Http\RememberMe;
 
-use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
-use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 
 /**
  * Interface that needs to be implemented by classes which provide remember-me
@@ -30,8 +30,6 @@ interface RememberMeServicesInterface
     /**
      * This attribute name can be used by the implementation if it needs to set
      * a cookie on the Request when there is no actual Response, yet.
-     *
-     * @var string
      */
     const COOKIE_ATTR_NAME = '_security_remember_me_cookie';
 
@@ -48,9 +46,7 @@ interface RememberMeServicesInterface
      * make sure to throw an AuthenticationException as this will consequentially
      * result in a call to loginFail() and therefore an invalidation of the cookie.
      *
-     * @param Request $request
-     *
-     * @return TokenInterface
+     * @return TokenInterface|null
      */
     public function autoLogin(Request $request);
 
@@ -59,10 +55,8 @@ interface RememberMeServicesInterface
      * credentials supplied by the user were missing or otherwise invalid.
      *
      * This method needs to take care of invalidating the cookie.
-     *
-     * @param Request $request
      */
-    public function loginFail(Request $request);
+    public function loginFail(Request $request, \Exception $exception = null);
 
     /**
      * Called whenever an interactive authentication attempt is successful
@@ -74,10 +68,6 @@ interface RememberMeServicesInterface
      * Instead, implementations should typically look for a request parameter
      * (such as a HTTP POST parameter) that indicates the browser has explicitly
      * requested for the authentication to be remembered.
-     *
-     * @param Request        $request
-     * @param Response       $response
-     * @param TokenInterface $token
      */
     public function loginSuccess(Request $request, Response $response, TokenInterface $token);
 }

vendor/symfony/security/Http/RememberMe/ResponseListener.php

@@ -11,9 +11,9 @@
 
 namespace Symfony\Component\Security\Http\RememberMe;
 
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
 use Symfony\Component\HttpKernel\KernelEvents;
-use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 
 /**
  * Adds remember-me cookies to the Response.
@@ -22,9 +22,6 @@ use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  */
 class ResponseListener implements EventSubscriberInterface
 {
-    /**
-     * @param FilterResponseEvent $event
-     */
     public function onKernelResponse(FilterResponseEvent $event)
     {
         if (!$event->isMasterRequest()) {
@@ -44,6 +41,6 @@ class ResponseListener implements EventSubscriberInterface
      */
     public static function getSubscribedEvents()
     {
-        return array(KernelEvents::RESPONSE => 'onKernelResponse');
+        return [KernelEvents::RESPONSE => 'onKernelResponse'];
     }
 }

vendor/symfony/security/Http/RememberMe/TokenBasedRememberMeServices.php

@@ -31,7 +31,7 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices
      */
     protected function processAutoLoginCookie(array $cookieParts, Request $request)
     {
-        if (count($cookieParts) !== 4) {
+        if (4 !== \count($cookieParts)) {
             throw new AuthenticationException('The cookie is invalid.');
         }
 
@@ -50,7 +50,7 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices
         }
 
         if (!$user instanceof UserInterface) {
-            throw new \RuntimeException(sprintf('The UserProviderInterface implementation must return an instance of UserInterface, but returned "%s".', get_class($user)));
+            throw new \RuntimeException(sprintf('The UserProviderInterface implementation must return an instance of UserInterface, but returned "%s".', \get_class($user)));
         }
 
         if (true !== hash_equals($this->generateCookieHash($class, $username, $expires, $user->getPassword()), $hash)) {
@@ -71,7 +71,7 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices
     {
         $user = $token->getUser();
         $expires = time() + $this->options['lifetime'];
-        $value = $this->generateCookieValue(get_class($user), $user->getUsername(), $expires, $user->getPassword());
+        $value = $this->generateCookieValue(\get_class($user), $user->getUsername(), $expires, $user->getPassword());
 
         $response->headers->setCookie(
             new Cookie(
@@ -81,7 +81,9 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices
                 $this->options['path'],
                 $this->options['domain'],
                 $this->options['secure'],
-                $this->options['httponly']
+                $this->options['httponly'],
+                false,
+                $this->options['samesite']
             )
         );
     }
@@ -89,10 +91,10 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices
     /**
      * Generates the cookie value.
      *
-     * @param string $class
-     * @param string $username The username
-     * @param int    $expires  The Unix timestamp when the cookie expires
-     * @param string $password The encoded password
+     * @param string      $class
+     * @param string      $username The username
+     * @param int         $expires  The Unix timestamp when the cookie expires
+     * @param string|null $password The encoded password
      *
      * @return string
      */
@@ -100,26 +102,26 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices
     {
         // $username is encoded because it might contain COOKIE_DELIMITER,
         // we assume other values don't
-        return $this->encodeCookie(array(
+        return $this->encodeCookie([
             $class,
             base64_encode($username),
             $expires,
             $this->generateCookieHash($class, $username, $expires, $password),
-        ));
+        ]);
     }
 
     /**
-     * Generates a hash for the cookie to ensure it is not being tempered with.
+     * Generates a hash for the cookie to ensure it is not being tampered with.
      *
-     * @param string $class
-     * @param string $username The username
-     * @param int    $expires  The Unix timestamp when the cookie expires
-     * @param string $password The encoded password
+     * @param string      $class
+     * @param string      $username The username
+     * @param int         $expires  The Unix timestamp when the cookie expires
+     * @param string|null $password The encoded password
      *
      * @return string
      */
     protected function generateCookieHash($class, $username, $expires, $password)
     {
-        return hash_hmac('sha256', $class.$username.$expires.$password, $this->getSecret());
+        return hash_hmac('sha256', $class.self::COOKIE_DELIMITER.$username.self::COOKIE_DELIMITER.$expires.self::COOKIE_DELIMITER.$password, $this->getSecret());
     }
 }